VXLAN Implementation Method, Network Device, and Communications System

ABSTRACT

A Virtual eXtensible Local Area Network (VXLAN) method comprises obtaining, by a network device, a mapping from a virtual local area network identifier VLAN ID to a VXLAN network identifier VNI; receiving, by the network device through a port, an Ethernet frame forwarded by an access device, where a VLAN tag field in the Ethernet frame includes the VLAN ID; adding, by the network device, a VXLAN header to the Ethernet frame based on the VLAN ID and the mapping to obtain a VXLAN packet, where a VNI field in the VXLAN header includes the VNI; and sending, by the network device, the VXLAN packet.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.16/453,245, filed on Jun. 26, 2019, which claims priority to ChinesePatent Application No. 201810670379.5, filed on Jun. 26, 2018, all ofwhich are hereby incorporated by reference in their entireties.

TECHNICAL FIELD

This application relates to the field of computers and communicationstechnologies, and in particular, to a Virtual eXtensible Local AreaNetwork (VXLAN) implementation method, a network device, and acommunications system.

BACKGROUND

In a VXLAN, a device implementing a VXLAN packet encapsulation ordecapsulation function is referred to as a VXLAN tunnel end point(VTEP). The VTEP encapsulates a layer 2 packet into a transport layerprotocol (for example, User Datagram Protocol (UDP)) packet to implementVXLAN packet encapsulation. The VTEP may be a server, or may be anetwork device (for example, a switch or a router).

In a campus network, terminal devices generally do not support a VXLAN.Therefore, the function of the VTEP is implemented by an access device.However, there are many access devices in the campus network. If all theaccess devices are required to support a VXLAN, overall deployment costsin the campus network are excessively high.

SUMMARY

This application provides a VXLAN implementation method, to reduceoverall deployment costs of a VXLAN in a campus network.

According to a first aspect, a VXLAN implementation method is provided.The method includes the following. A network device obtains a mappingfrom a Virtual Local Area Network (VLAN) identifier (ID) to a VXLANnetwork identifier (VNI). The network device receives, through a port,an Ethernet frame forwarded by an access device. A VLAN tag field in theEthernet frame includes the VLAN ID. The network device adds a VXLANheader to the Ethernet frame based on the VLAN ID and the mapping toobtain a VXLAN packet. A VNI field in the VXLAN header includes the VNI.The network device sends the VXLAN packet.

In this application, a VTEP device is the network device connected tothe access device. In other words, the VTEP device is a device fartherfrom a terminal device than the access device. Usually, there are fewerdevices farther from the terminal device. In this solution, the accessdevice does not need to support a VXLAN, and only a relatively smallquantity of network devices need to support a VXLAN such that a largequantity of access devices in a campus network that do not support aVXLAN can still be used. Therefore, deployment costs of a VXLANtechnology in the campus network are relatively low. However, becausethe network device is not directly connected to the terminal device,making it difficult to directly select the VNI for the Ethernet frame,the access device selects the VLAN ID for the Ethernet frame from theterminal device, and the network device stores the mapping from a VLANID to a VNI. After receiving the Ethernet frame from the access device,the network device adds the corresponding VXLAN header to the Ethernetframe based on the mapping from a VLAN ID to a VNI to obtain the VXLANpacket, thereby implementing a VXLAN.

If the access device serves as an authenticator, in an authenticationprocess, the network device obtains no VLAN ID authorized by anauthentication server. To ensure normal forwarding of an Ethernet framein a network, a port that is on the network device and that is connectedto the access device needs to be added (add) to an authorized VLAN of aterminal device that accesses a network using the access device. In animplementation process, there are a plurality of specific addingmanners. For example, the port on the network device is added to allVLANs.

In a possible implementation of the first aspect, another manner ofadding a port to an authorized VLAN of a terminal device by the networkdevice is provided. In an embodiment, the method further includes thefollowing. The network device receives an adding instruction from theaccess device through the port. The adding instruction includes the VLANID. The network device adds the port to a VLAN identified by the VLANID. In this manner of adding the port on the network device to the VLAN,a range of a broadcast domain can be controlled, thereby improvingsecurity.

In another possible implementation of the first aspect, the addinginstruction is a first Locator/Identifier Separation Protocol (LISP).

Optionally, the first LISP packet further carries a first packet typeindicator, and the first packet type indicator indicates that the firstLISP packet includes the VLAN ID. With the packet type indicator, thenetwork device can efficiently identify a purpose of the LISP packet, inother words, identify a type of information included in the LISP packet,to perform corresponding processing.

In another possible implementation of the first aspect, the methodfurther includes the following. The network device receives a firstauthentication packet from the access device through the port. The firstauthentication packet is used in authentication for a supplicant device.The network device records a correspondence between the port and asupplicant device address in the first authentication packet. Thenetwork device receives a second authentication packet from anauthentication server. The second authentication packet includes thesupplicant device address and the VLAN ID. The network device adds theport to a VLAN identified by the VLAN ID, based on the supplicant deviceaddress and the VLAN ID in the second authentication packet and therecorded correspondence between the supplicant device address and theport. In this manner, the network device actually serves as anauthenticator device such that a large quantity of access devices closerto a terminal device do not need to support an authentication function.Therefore, simpler and lower-cost hardware can be used forimplementation, thereby reducing deployment costs.

In another possible implementation of the first aspect, the networkdevice sends a binding instruction to the access device. The bindinginstruction includes the supplicant device address and the VLAN ID. Withthe binding instruction, the access device adds a port connected to aterminal device to an authorized VLAN of the terminal device, and adds aproper VLAN ID to a subsequent Ethernet frame sent by the terminaldevice.

Optionally, the first authentication packet is encapsulated into a firstLISP packet, the first LISP packet further carries a first packet typeindicator, and the first packet type indicator indicates that the firstLISP packet carries the authentication packet. The binding instructionis a second LISP packet, the second LISP packet further includes asecond packet type indicator, and the second packet type indicatorindicates that the second LISP packet includes a media access control(MAC) address and a VLAN ID of the terminal device.

According to a second aspect, a VXLAN implementation method is provided.The method includes the following. An authenticator device obtains aVLAN ID allocated by an authentication server to an authenticatedsupplicant device. The authenticator device sends an LISP packet to aVXLAN tunnel end point VTEP device. The LISP packet includes the VLANID. The authenticator device and the VTEP device are implemented bydifferent devices. For example, the authenticator device is an accessdevice, and the VTEP device is a network device connected to the accessdevice. The authenticator device sends the VLAN ID of the supplicantdevice to the VTEP device after authentication succeeds such that theVTEP device adds a port of the VTEP device to a specified VLAN, tocontrol a range of a broadcast domain and improve security.

In a possible implementation, the method further includes the following.The authenticator device determines a port connected to a MAC address ofthe supplicant device. The authenticator device sets a value of adefault VLAN of the port to the VLAN ID. The authenticator devicereceives an Ethernet frame from the supplicant device through the port.The authenticator device adds a VLAN tag including the VLAN ID to theEthernet frame based on the default VLAN of the port, and then forwardsthe Ethernet frame. The authenticator device adds the VLAN ID to theVLAN tag in the Ethernet frame such that the VTEP device obtains amapped VNI based on the VLAN ID in the VLAN tag in the Ethernet frame,and adds a VXLAN header to the Ethernet frame, to implement a VXLAN.

In a possible implementation, the LISP packet further includes a packettype indicator, and the packet type indicator is used to instruct theVTEP device to add a port receiving the LISP packet to a VLAN identifiedby the VLAN ID. With the packet type indicator, the network device canefficiently identify a purpose of the LISP packet, in other words,identify a type of information included in the LISP packet, to performcorresponding processing.

According to a third aspect, a VXLAN implementation method is furtherprovided. The method includes the following. An access device receivesan authentication packet from a terminal device through a port. Theterminal device is a to-be-authenticated supplicant device. The accessdevice records a correspondence between the port and a MAC address, inthe authentication packet, of the supplicant device. The access devicesends the authentication packet to a network device. The network deviceis an authenticator device and a VXLAN tunnel end point VTEP device. Theaccess device receives a binding instruction from the network device.The binding instruction includes the MAC address of the supplicantdevice and a VLAN ID. The access device sets a value of a default VLANof the port to the VLAN ID based on the correspondence and the MACaddress, in the binding instruction, of the supplicant device. In thissolution, the network device connected to the access device serves asboth the authenticator device and the VTEP device, the access deviceforwards the authentication packet between the authenticator device andthe to-be-authenticated supplicant device, and after authenticationsucceeds, the access device adds the port connected to the supplicantdevice to an authorized VLAN according to the binding instruction, tocontrol access of the supplicant device based on the authorized VLAN.

In a possible implementation, the method further includes the following.The access device receives an Ethernet frame from the terminal devicethrough the port. A source address of the Ethernet frame is the MACaddress of the supplicant device. The access device adds a VLAN tagincluding the VLAN ID to the Ethernet frame based on the default VLAN ofthe port, and then forwards the Ethernet frame. The access device addsthe VLAN ID to the VLAN tag in the Ethernet frame such that the VTEPdevice obtains a mapped VNI based on the VLAN ID in the VLAN tag in theEthernet frame, and adds a VXLAN header to the Ethernet frame, toimplement a VXLAN.

In a possible implementation, that the access device sends theauthentication packet to a network device includes the following. Theaccess device encapsulates the authentication packet using a first LISPpacket, and the access device sends the first LISP packet to the networkdevice. The authentication packet between the access device and thenetwork device is encapsulated using the LISP packet, thereby providinga feasible manner for packet authentication through transparenttransmission.

In a possible implementation, the first LISP packet further carries afirst packet type indicator, and the first packet type indicatorindicates that the first LISP packet carries the authentication packet.

In a possible implementation, the binding instruction is a second LISPpacket, the second LISP packet further includes a second packet typeindicator, and the second packet type indicator indicates that thesecond LISP packet includes the MAC address of the terminal device andthe VLAN ID. When an LISP packet can carry various types of informationto implement a plurality of purposes, with the packet type indicator,the network device can efficiently identify a purpose of a received LISPpacket, in other words, identify a type of information included in thereceived LISP packet, to perform corresponding processing.

According to a fourth aspect, a network device is provided. The networkdevice is connected to an access device. The network device includes amemory, a port, and at least one processor. The memory is configured tostore program code.

The at least one processor is configured to perform the method in anyone of the first aspect or the possible implementations of the firstaspect after reading the program code stored in the memory. For details,refer to the foregoing detailed description. Details are not describedherein again.

According to a fifth aspect, an access device is provided. The accessdevice includes a memory, a port, and at least one processor. The memoryis configured to store program code.

The at least one processor is configured to perform the method in anyone of the second aspect or the possible implementations of the secondaspect or perform the method in any one of the third aspect or thepossible implementations of the third aspect after reading the programcode stored in the memory. For details, refer to the foregoing detaileddescription. Details are not described herein again.

According to a sixth aspect, a VXLAN implementation apparatus isprovided, to perform the method in any one of the first aspect or thepossible implementations of the first aspect, or perform the method inany one of the second aspect or the possible implementations of thesecond aspect, or perform the method in any one of the third aspect orthe possible implementations of the third aspect. The VXLANimplementation apparatus includes a unit configured to perform themethod in any one of the first aspect or the possible implementations ofthe first aspect, or includes a unit configured to perform the method inany one of the second aspect or the possible implementations of thesecond aspect, or includes a unit configured to perform the method inany one of the third aspect or the possible implementations of the thirdaspect. These units may be implemented by a program module, or may beimplemented by hardware or firmware.

According to a seventh aspect, this application provides acomputer-readable storage medium. The computer-readable storage mediumis configured to store a computer software instruction to be used by theforegoing network device, and when the computer software instructionruns on a computer, the computer performs the method in any one of thefirst aspect or the possible implementations of the first aspect.Alternatively, the computer-readable storage medium is configured tostore a computer software instruction to be used by the foregoing accessdevice, and when the computer software instruction runs on a computer,the computer performs the method in any one of the second aspect or thepossible implementations of the second aspect, or the computer performsthe method in any one of the third aspect or the possibleimplementations of the third aspect.

According to an eighth aspect, a computer program product including aninstruction is provided. When the instruction runs on a computer, thecomputer performs the method in each of the foregoing aspects.

According to a ninth aspect, a communications system is provided. Thesystem includes an access device and a network device connected to theaccess device. The network device is configured to perform the method inany one of the first aspect or the possible implementations of the firstaspect.

In a possible implementation, the access device is configured to performthe method in any one of the second aspect or the possibleimplementations of the second aspect.

In a possible implementation, the access device is configured to performthe method in any one of the third aspect or the possibleimplementations of the third aspect.

BRIEF DESCRIPTION OF DRAWINGS

To describe technical solutions in embodiments of this application moreclearly, the following briefly describes accompanying drawings requiredfor describing the embodiments. Apparently, the accompanying drawings inthe following description show merely some embodiments of thisapplication, and a person of ordinary skill in the art may still deriveother drawings from these accompanying drawings without creativeefforts.

FIG. 1 is a schematic diagram of an application scenario of a VXLANimplementation method according to an embodiment of this application.

FIG. 2 is a flowchart of a VXLAN implementation method according to anembodiment of this application.

FIG. 3A is a schematic diagram of an authentication process specifiedfor port-based network access control in an embodiment of thisapplication.

FIG. 3B is a schematic diagram of a first manner of obtaining a VLAN IDof a terminal 11 by a network device according to an embodiment of thisapplication.

FIG. 3C is a schematic diagram of a second manner of obtaining a VLAN IDof a terminal 11 by a network device according to an embodiment of thisapplication.

FIG. 4 is a schematic diagram of VXLAN encapsulation according to anembodiment of this application.

FIG. 5 is a schematic structural diagram of a network device accordingto an embodiment of this application.

FIG. 6 is a schematic structural diagram of an access device accordingto an embodiment of this application.

FIG. 7A and FIG. 7B are schematic diagrams of a VXLAN implementationmethod according to an embodiment of this application.

FIG. 8 is a schematic diagram of a field structure of an LISP packetaccording to an embodiment of this application.

FIG. 9 is a schematic diagram of a first LISP packet extension manneraccording to an embodiment of this application.

FIG. 10 is a schematic diagram of a VXLAN packet header according to anembodiment of this application.

FIG. 11A and FIG. 11B are schematic diagrams of a VXLAN implementationmethod according to an embodiment of this application.

FIG. 12 is a schematic diagram of a second LISP packet extension manneraccording to an embodiment of this application.

FIG. 13 is a schematic diagram of a third LISP packet extension manneraccording to an embodiment of this application.

DESCRIPTION OF EMBODIMENTS

If a function of a VTEP is implemented on an access device, the accessdevice is required to have a relatively high hardware configuration, forexample, required to have a chip with a programming capability. Inaddition, there are a relatively large quantity of access devices.Therefore, deployment costs of such a VXLAN solution of implementing thefunction of the VTEP using the access device are excessively high. Basedon this, it is necessary to seek another solution to implement a VXLANin a campus network.

If the VTEP is implemented using a network device other than the accessdevice, there are some technical problems. For example, in a solution, anetwork device connected to the access device implements the function ofthe VTEP. However, in this solution, it is a problem for the networkdevice in the campus network to select a proper VNI for an Ethernetframe.

For the foregoing problems, embodiments of this application provide aVXLAN implementation solution. In this solution, a network devicesupporting a VXLAN protocol implements a VTEP. The network deviceobtains a mapping between a VLAN ID and a VNI. Subsequently, whenreceiving an Ethernet frame from an access device, the network deviceobtains a VLAN ID from a VLAN tag field in the Ethernet frame. Thenetwork device adds a VXLAN header to the Ethernet frame based on theVLAN ID obtained from the Ethernet frame and the mapping between a VLANID and a VNI to obtain a VXLAN packet. A VNI field in the VXLAN headerincludes the VNI to which the VLAN ID in the Ethernet frame is mapped.The network device sends the VXLAN packet. In the embodiments of thisapplication, for simple and clear differentiation, a field that is in aVXLAN packet header and that is used to fill in a VNI is referred to asa “VNI field”. In another case, a VNI is a VNI represented by a 24-bitbinary value. In this solution, the network device implements a functionof the VTEP, and access device hardware in a campus network does notneed to be upgraded to a switch supporting a VXLAN, thereby reducingdeployment costs. Further, a terminal can access a network anytime andanywhere using a large quantity of access devices in the campus networkthat do not have a VXLAN function, and is not necessarily limited to alocation for accessing the network, thereby ensuring use convenience ofthe terminal device.

Main implementation principles and specific implementations of technicalsolutions in the embodiments of the present disclosure and beneficialeffects that can be correspondingly achieved by the technical solutionsare described below in detail with reference to accompanying drawings.

FIG. 1 is a schematic diagram of an application scenario of a VXLANimplementation method according to an embodiment of this application.The method is applied to a campus network. The campus network includesterminal devices such as a terminal 11 and a terminal 21, access devicessuch as an access device 12 and an access device 22, and network devicessuch as a network device 13 and a network device 23. Optionally,depending on a network scale and an actual requirement, the campusnetwork further includes a core device 30, a network management device40, and an authentication server 50. The terminal 11 accesses a networkusing the access device 12. The network device 13 aggregates datastreams from the access device 12, and then sends the data streams tothe core device 30. The core device 30 is connected to the networkmanagement device 40 and the authentication server 50 through theInternet. The terminal 21 accesses the network using the access device22. The network device 23 aggregates data streams from the access device22, and then sends the data streams to the core device 30. A VXLANtunnel exists between the network device 13 and the network device 23,as shown by a thick dashed line in FIG. 1.

The terminal device in this embodiment of this application has a networkconnection capability, including but not limited to, a personalcomputer, a printer, a mobile phone, a server, a notebook computer, anInternet Protocol (IP) phone, a camera, a tablet computer, a wearabledevice, and the like.

The access device in this embodiment of this application is a switch ora wireless access point (AP). Unless particularly specified otherwise,the switch in this embodiment of this application is a switch that doesnot support the VXLAN protocol.

The network device in this embodiment of this application is a layer 3switch or router, and the network device supports the VXLAN protocol.

The network management device in this embodiment of this application isa system for network configuration. A network manager may manage thenetwork using a remote terminal protocol (Telnet), a managementinformation base (MIB), yet another next generation (YANG), or the like.Alternatively, when no dedicated network management device is configuredin the network, the network manager may directly log in to the terminaldevice, the access device, the network device, and the core device toconfigure addresses, ports, network connection parameters, and the likeof these devices.

The authentication server is configured to attempt to authenticate aterminal device requesting to access the network, and open up a networkservice for the terminal device based on an authentication result. Inthis embodiment of this application, after authenticating an onlineterminal device based on data such as an address and registrationinformation of the terminal device, the authentication server allocatesauthorization information to the terminal device. The authorizationinformation includes a VLAN ID. Optionally, the authorizationinformation further includes a group identifier (Group ID). Optionally,the authentication server is an authentication, authorization, andaccounting (AAA) server. Based on the VLAN ID, the network device cancontrol a range of a layer 2 broadcast domain, to improve networksecurity. Based on the group identifier and a group policy that isconfigured by the network management device, access between differentgroups can be controlled. For example, the group policy includes amatching condition and a control action, and the matching conditionincludes one or more group identifiers. In one group policy, a matchingcondition is from a group A to a group B, and a control action isallowing access, in another group policy, a matching condition is fromthe group B to a group C, and a control action is forbidding access.

In the scenario shown in FIG. 1, the network device implements a VTEP,the VXLAN tunnel exists between the network device 13 and the networkdevice 23, and a packet between the terminal 11 and the terminal 21 istransmitted through the VXLAN tunnel. A principle of implementing afunction of the VTEP by the network device is described below withreference to FIG. 1 and FIG. 2.

FIG. 2 is a flowchart of a VXLAN implementation method according to anembodiment of this application. FIG. 2 mainly describes, from aperspective of a network device, a principle of implementing a VTEP bythe network device. It may be understood that, the network device inFIG. 2 may be the network device 13 or the network device 23 in FIG. 1.A procedure shown in FIG. 2 includes step 200 to step 203.

Step 200: The network device obtains a mapping from a VLAN ID to a VNI.

A VLAN tag field in an Ethernet frame may include a 12-bit VLAN ID. TheVLAN ID is used to divide a layer 2 network into a plurality ofdifferent broadcast domains. Neither broadcast traffic nor unicasttraffic in one VLAN is forwarded to another VLAN. Division based on aswitch port is a common VLAN division manner. Different ports on aswitch are separately configured to correspond to different VLANs. Forexample, four ports on a switch correspond to a VLAN 10, and anotherport corresponds to a VLAN 20. In a VXLAN technology, the layer 2network is segmented using a 24-bit VNI, to transmit layer 2 data in alayer 3 network. Communication cannot be directly performed betweenlayer 2 networks indicated by different VNIs.

The mapping from a VLAN ID to a VNI may be manually configured on thenetwork device. Alternatively, the network device may receive themapping from a VLAN ID to a VNI from another device (for example, acontroller). For example, the network device is the network device 13 inFIG. 1. A network manager may directly log in to a command-lineinterface provided by an operating system of the network device 13, andconfigure the mapping from a VLAN ID to a VNI on the network device 13.Optionally, the mapping from a VLAN ID to a VNI is shown in Table 1.

TABLE 1 VLAN ID VNI VLAN 10 VNI 1000 VLAN 20 VNI 2000 . . . . . .

Step 201: The network device receives, through a port, an Ethernet frameforwarded by an access device, where a VLAN tag field in the Ethernetframe includes the VLAN ID. The Ethernet frame includes a source addressfield, a destination address field, and a VLAN tag protocol identifierfield. In this application, the VLAN tag protocol identifier field isreferred to as a VLAN tag field. Because the Ethernet frame is a layer 2frame, the source address field and the destination address field in theEthernet frame in this application each include a MAC address. TheEthernet frame further includes another field (for example, a type fieldor a length field) and a data portion. For example, the data portion isa layer 3 protocol data unit. For a Transmission ControlProtocol/Internet Protocol (TCP/IP) protocol family, the layer 3protocol data unit is an IP data packet.

Step 202: The network device adds a VXLAN header to the Ethernet framebased on the VLAN ID in the Ethernet frame and the mapping to obtain aVXLAN packet, where a VNI field in the VXLAN header includes the VNI.

Step 203: The network device sends the VXLAN packet.

The scenario shown in FIG. 1 is still used as an example. After gettingonline, the terminal 11 can access a network only after completing anauthentication process. Before the terminal 11 is authenticated, theaccess device 12 connected to the terminal 11 allows only anauthentication packet related to the terminal 11 to be forwarded. Ifauthentication succeeds, the authentication server authorizes theterminal 11, and instructs the access device 12 to change a state of aport connected to the terminal 11 from “uncontrolled” to “controlled”.After the authentication succeeds, the controlled port that is on theaccess device 12 and that is connected to the terminal 11 may forward anEthernet frame from the terminal 11 or forward an Ethernet frame to theterminal 11 such that the terminal 11 can access the network. After theauthentication succeeds, the authentication server may further configureother authorization information for the terminal 11, for example,allocate a VLAN ID and a group identifier to the terminal 11, to controlnetwork access behavior of the terminal 11 using the VLAN ID and thegroup identifier. After the terminal 11 is authenticated and authorized,the access device 12 generates, in a user information table (shown inTable 3 below), an entry related to the terminal 11.

After the terminal 11 is authenticated, the access device 12 receives anEthernet frame sent by the terminal 11, and based on a number of a portreceiving the Ethernet frame, finds, in the user information table(shown in Table 3 below) stored on the access device 12, the VLAN 10corresponding to the terminal 11. The access device 12 adds the VLAN 10to the Ethernet frame sent by the terminal 11. Optionally, the accessdevice 12 adds the VLAN 10 to a VLAN tag field in the Ethernet frame.The access device 12 sends, to the network device 13, the Ethernet frameto which the VLAN 10 is added.

After receiving the Ethernet frame, based on the VLAN 10 in the Ethernetframe, the network device 13 finds, in the mapping shown in Table 1 froma VLAN ID to a VNI, a VNI 1000 to which the VLAN 10 is mapped. Thenetwork device 13 performs VXLAN encapsulation on the received Ethernetframe. In an encapsulation process, the found VNI 1000 is written to theVNI field in the VXLAN header. The network device 13 sends a packetobtained after encapsulation to the network device 23 through the VXLANtunnel.

FIG. 4 is a schematic diagram of performing VXLAN encapsulation on anEthernet frame by the network device 13. During VXLAN encapsulation, aVXLAN header, an outer UDP header, and an outer IP header aresequentially added to the received Ethernet frame. The Ethernet frameincludes an Ethernet frame header and a data portion. For example, thedata portion is an IP packet. A source address in the Ethernet frameheader is a MAC address of the terminal 11, and a destination address isa MAC address of the terminal 21. A source address in an IP packetheader is an IP address of the terminal 11, and a destination address isan IP address of the terminal 21.

A source address in an outer Ethernet header is a MAC address of thenetwork device 13, and a destination address is a MAC address of thenetwork device 23. A source address in the outer IP header is an IPaddress of the network device 13, and a destination address is an IPaddress of the network device 23.

In the VXLAN implementation method provided in this embodiment of thisapplication, a terminal device accesses a network using the accessdevice, and the network device that is connected to the access deviceand that supports the VXLAN protocol implements a VTEP. The mapping froma VLAN ID to a VNI is configured on the network device. Subsequently,after receiving the Ethernet frame from the access device, the networkdevice adds the VXLAN header to the Ethernet frame based on the mappingfrom a VLAN ID to a VNI and the VLAN ID in the Ethernet frame to obtainthe VXLAN packet. The VXLAN header includes the VNI corresponding to theVLAN ID in the Ethernet frame. In this solution, the access device doesnot need to support a VXLAN, a large quantity of existing layer 2switches or APs can still be used in a campus network, and access devicehardware in the campus network does not need to be upgraded to a switchsupporting a VXLAN, thereby reducing deployment costs.

In step 201, after the network device receives the Ethernet frame sentby the access device, to send response data that is from the network andthat corresponds to the Ethernet frame to the terminal device, thenetwork device needs to add the port that is on the network device andthat is connected to the access device to an authorized VLAN of theterminal (which is a VLAN identified by the VLAN ID in the authorizationinformation generated by the authentication server for the terminaldevice after the terminal device is authenticated). Ports that are onthe access device and the network device and that are related to theterminal device are added to the authorized VLAN such that it can beensured that the terminal device can access the network using an accessdevice at any location in the campus network, the terminal does not needto access the network using a particular access device or through aparticular port on an access device, thereby ensuring use convenience ofthe terminal device.

Optionally, the port on the network device may be added to theauthorized VLAN of the terminal using a plurality of methods. Forexample, the port on the network device is added to all VLANs.Alternatively, a process of interaction between the access device andthe network device may be improved, and after the terminal isauthenticated and authorized, the port on the network device is added tothe authorized VLAN of the terminal. The former solution ischaracterized by simplicity and convenience, and no process ofinteraction between the access device and the network device isrequired. However, adding the port to all the VLANs leads to anexcessively large broadcast domain, and lowers network security.

The following describes two specific manners of improving a process ofinteraction between an access device and a network device to add a porton the network device to an authorized VLAN of a terminal.

For ease of understanding a process of packet exchange between an accessdevice and a network device to be described below, an authenticationprocess is briefly described first. The packet exchange process to bedescribed below is associated with the authentication process. Terminaldevice authentication is intended to prevent an unauthorized terminaldevice from accessing a network, for example, a local area network or awide area network, through an access port to obtain services provided bythe network. Three roles, a to-be-authenticated supplicant, anauthenticator, and an authentication server are generally involved inthe authentication process. In the authentication process, theto-be-authenticated supplicant is a terminal device, the authenticatoris an access device, and the authentication server is a server, forexample, an AAA server. For simplicity and clarity, in this embodimentof this application, only the Extensible Authentication Protocol (EAP)is used as an example for a simplified description of the process ofpacket exchange between the access device and the network device. Whenthe terminal device and a network side perform an authenticationprocedure specified in another standard, a process, based on theauthentication procedure, of information exchange between the accessdevice and the network device is similar thereto. Processes are notenumerated.

An EAP authentication process is shown in FIG. 3A. Before an accessdevice performs authentication, a port for connecting a terminal deviceto the access device is in an uncontrolled state, and allows only an EAPpacket to pass through. After the authentication succeeds, other data ofthe terminal device can be transmitted through the port of the accessdevice. The authentication process mainly includes step 301 to step 310.

Step 301: The terminal device sends an Extensible AuthenticationProtocol over local area network (EAPoL)-Start packet to initiate anauthentication process.

Step 302: After receiving the EAPoL-Start packet, the access devicesends an EAP Request packet to the terminal device, to request theterminal device to send a user identifier. In addition, the accessdevice creates a new entry in a user information table. The entryrecords a number of a port receiving the EAPoL-Start packet, andinformation in the EAPoL-Start packet, such as a MAC address of theterminal device and a user name.

Step 303: The terminal device generates an EAP Response packet,encapsulates the user identifier into the EAP Response packet, and sendsthe EAP Response packet to the access device.

Step 304: The access device encapsulates the received EAP Response andsome attribute information of the access device, for example,information such as a network access server (NAS) IP address and a NASport number, into a Remote Authentication Dial In User Service (RADIUS)Access-Request packet, and sends the RADIUS Access-Request packet to anauthentication server.

Step 305: After receiving the RADIUS Access-Request packet, theauthentication server extracts the user identifier and searches adatabase. If the user identifier is not found, the packet is directlydiscarded. If the user identifier exists, the authentication serverextracts information such as a user password, and performs MD5encryption using a randomly generated encryption word, to generate acipher. In addition, the authentication server encapsulates the randomencryption word into an EAP Challenge Request packet, then encapsulatesthe EAP Challenge Request packet into an EAP-Message attribute of aRADIUS Access-Challenge packet, and sends the RADIUS Access-Challengepacket to the access device.

Step 306: After receiving the RADIUS Access-Challenge packet, the accessdevice sends, to the terminal device, the EAP Challenge Request packetthat is encapsulated into the RADIUS Access-Challenge packet.

Step 307: The terminal device performs, using a random encryption wordsent by the authentication server, a same MD5 encryption operation oninformation such as a locally stored user identifier and password togenerate a cipher, encapsulates the cipher into an EAP ChallengeResponse packet, and sends the EAP Challenge Response packet to theaccess device.

Step 308: After receiving the EAP Challenge Response packet, the accessdevice encapsulates the EAP Challenge Response packet into anEAP-Message attribute of a RADIUS Access-Request packet, and sends theRADIUS Access-Request packet to the authentication server.

Step 309: The authentication server performs decapsulation, and comparesthe cipher returned by the terminal device with a cipher that isgenerated by the authentication server in step 305. If the two ciphersare inconsistent, authentication fails, and the authentication serverreturns a RADIUS Access-Reject message, and keeps a port in a closedstate. If the two ciphers are consistent, authentication succeeds, andthe authentication server encapsulates an EAP Success packet into anattribute of a RADIUS Access-Accept packet, and sends the RADIUSAccess-Accept packet to the access device. In addition, the RADIUSAccess-Accept packet further carries other authorization information,for example, information such as a VLAN ID and a group identifier.

Step 310: After receiving a RADIUS Access-Accept sent by theauthentication server, the access device changes a state of a port to“controlled”, extracts an EAP Success packet from the RADIUSAccess-Accept, and sends the EAP Success packet to the terminal device.In addition, the access device adds, to the newly created entry in theuser information table, the authorization information including the VLANID and the group identifier.

In this embodiment of this application, it is assumed that the VLAN IDallocated by the authentication server to the terminal 11 is the VLAN10.

To help the network device 13 to conveniently add the port connected tothe access device 12 to the authorized VLAN of the terminal 11, aninteraction manner used by the network device 13 and the access device12 includes but is not limited to the following manner 1 and manner 2.

Manner 1: The network device receives an adding instruction from theaccess device through the port. The adding instruction includes the VLANID. The network device adds the port to a VLAN identified by the VLANID.

In the manner 1, an authenticator device is the access device 12, and anauthentication process is shown in FIG. 3A. After authenticationsucceeds, the access device 12 obtains a VLAN ID allocated by theauthentication server to an authenticated supplicant device. The accessdevice 12 sends the adding instruction to the network device 13 using acontrol plane protocol between the access device 12 and the networkdevice 13, as shown in FIG. 3B. The adding instruction includes the VLAN10. After receiving the adding instruction through a port indicated by aport number E1/0/0 (referred to as a port E1/0/0 below), the networkdevice 13 adds the port E1/0/0 to the VLAN 10.

The control plane protocol may be a newly defined protocol, or may beimplemented by making some extensions to an existing protocol, forexample, implemented by extending LISP. An example of an extensionmanner is given in the following embodiments.

In the manner 1, the access device serves as an authenticator device,and after the terminal device is authenticated, the access devicenotifies the network device of the authorized VLAN ID of the terminaldevice using the adding instruction such that an existing networkauthentication procedure is only slightly modified, and implementationcosts are relatively low.

Manner 2: An authenticator device is the network device 13. The accessdevice forwards authentication packets between the to-be-authenticatedsupplicant device and the authenticator device, in an embodiment, sends,to the authenticator device, an authentication packet sent by theterminal device, and sends, to the terminal device, an authenticationpacket sent by the authenticator device. The network device receives afirst authentication packet from the access device through the port. Thefirst authentication packet provides authentication for the supplicantdevice. The network device records a correspondence between the port(which is a port receiving the first authentication packet) and asupplicant device address in the first authentication packet. Thenetwork device receives a second authentication packet from theauthentication server. The second authentication packet includes thesupplicant device address and the VLAN ID. The network device adds theport to the VLAN identified by the VLAN ID, based on the supplicantdevice address and the VLAN ID in the second authentication packet andthe recorded correspondence between the port and the supplicant deviceaddress.

As shown in FIG. 3C, the IP address of the network device 13 isconfigured on the access device 12. The access device 12 and the networkdevice 13 transmit authentication packets based on a control planeprotocol. The control plane protocol may be a newly defined protocol, ormay be implemented by making some extensions to an existing protocol,for example, implemented by extending LISP. An example of an extensionmanner is given in the following embodiments. An authentication channelis actually a particular manner used to encapsulate a packet.

After the terminal 11 gets online and an authentication process of theterminal 11 is triggered, the access device 12 receives a firstauthentication packet (for example, an EAPoL-Start packet) sent by theterminal, and creates a new entry in a user information table (or aforwarding table). The entry records the MAC address of the terminal 11(a to-be-authenticated supplicant device) in the first authenticationpacket and a number of a port receiving the first authentication packet.The access device 12 encapsulates the first authentication packet (forexample, the EAPoL-Start packet) of the terminal 11 using a controlplane protocol, and sends a packet obtained after encapsulation to thenetwork device 13. After decapsulating the packet sent through theauthentication channel to obtain the first authentication packet, thenetwork device 13 performs an authentication procedure of the terminal11. In a process of performing the authentication procedure, the networkdevice 13 decapsulates a packet sent by the access device 12, andprocesses, as specified in a standard, a packet (for example, theEAPoL-Start packet, an EAP Response packet, or an EAP Challenge Responsepacket) obtained after decapsulation. In addition, the network device 13encapsulates, using the control plane protocol, a packet (for example,an EAP Request) to be sent to the terminal 11, and sends a packetobtained after encapsulation to the access device 12. The network device13 further receives a packet (for example, a RADIUS Access-Challengepacket or a RADIUS Access-Accept) sent by the authentication server,processes the packet according to the authentication procedure,encapsulates a packet that is obtained after processing and that needsto be sent to the terminal device, and then sends a packet (for example,an EAP Challenge Request or EAP Success packet) obtained afterencapsulation to the access device 12 through the authenticationchannel.

The access device 12 receives, through the authentication channel, anauthentication packet (for example, an EAP Request packet or an EAPChallenge Request or EAP Success packet in FIG. 3C) sent by the networkdevice 13, decapsulates the packet sent through the authenticationchannel, and sends a packet obtained after decapsulation to the terminal11.

After receiving a second authentication packet (for example, a RADIUSAccess-Accept packet) sent by the authentication server, the networkdevice 13 not only sends, to the access device 12 through theauthentication channel, an EAP Success packet that is encapsulated intothe RADIUS Access-Accept packet, but also obtains other authorizationinformation, for example, information such as the VLAN ID and the groupidentifier, from the RADIUS Access-Accept packet sent by theauthentication server. The recorded port receiving the firstauthentication packet is added to the VLAN identified by theauthorization information VLAN ID. After receiving the EAP Successpacket, the access device 12 sets the port connected to the terminal 11to the controlled state.

Optionally, referring to FIG. 3C, the network device 13 furtherencapsulates the MAC address of the terminal 11 and the VLAN ID in theauthorization information using the control plane protocol, and thensends a packet obtained after encapsulation to the access device. Theaccess device 12 decapsulates the received packet to obtain the MACaddress of the terminal 11 and the VLAN ID of the terminal 11, obtainsthe created entry by querying the user information table (or theforwarding table) based on the MAC address of the terminal 11, and addsthe VLAN ID of the terminal 11 to the entry. A correspondence betweenthe port and the VLAN ID is established using the entry. In other words,a value of a default VLAN of the port connected to the terminal 11 isset to the VLAN ID. The control plane protocol herein may be a newlydefined protocol, or may be implemented by making some extension to anexisting protocol, for example, implemented by extending LISP. Anexample of an extension manner is given in the following embodiments.

In this embodiment of this application, after the terminal 11 isauthenticated, the terminal 11 can communicate with another terminalwithin an authorized range. For example, when the terminal 11 initiatesaccess to another terminal, the terminal 11 generates an Ethernet frame.A source address of the Ethernet frame is the MAC address of theterminal 11. After receiving the Ethernet frame sent by the terminal 11,the access device 12 adds the VLAN ID of the default VLAN to a VLAN tagfield in the Ethernet frame based on the default VLAN of the portreceiving the Ethernet frame. Then the access device 12 sends, to thenetwork device 13, the Ethernet frame with an Ethernet header includingthe added VLAN ID to which the VLAN ID is added.

In the manner 2, the network device performs the authenticationprocedure of the terminal device, and the access device and the networkdevice transmit authentication packets to each other using LISP. Anauthenticator is the network device farther from the terminal such thata large quantity of access devices closer to the terminal do not need tosupport a VXLAN, and even may not need to support authentication.Therefore, simpler and lower-cost hardware can be used forimplementation, thereby reducing deployment costs.

FIG. 5 is a schematic structural diagram of a network device in thescenario shown in FIG. 1. The network device shown in FIG. 5 serves asthe network device in the procedure shown in FIG. 2, to implement thefunction of the network device in FIG. 2. The network device in FIG. 5includes a processor 51, a forwarding chip 52, ports 53, and a memory54. The ports 53 include a plurality of ports. The forwarding chip 52 isconnected to each of the ports 53.

The forwarding chip 52 and the memory 54 may be integrated with theprocessor 51 into a same physical component, or may be separate physicalcomponents. When the forwarding chip 52 and the memory 54 are integratedwith the processor 51 into a same physical component (for example, amulti-core CPU), the memory 54 is in the CPU, and the forwarding chip 52may be a core in the multi-core CPU. When the forwarding chip 52 and thememory 54 are separate physical components independent of the processor51, both the forwarding chip 52 and the memory 54 are connected to theprocessor 51. The forwarding chip 52 is further connected to the memory54.

When the memory 54 is a separate physical component, the memory 54includes but is not limited to a random access memory (RAM), a read-onlymemory (ROM), an erasable programmable read-only memory (EPROM), aternary content addressable memory (TCAM), a flash memory, an opticalmemory, or the like.

The memory 54 is configured to store the mapping relationship tableshown in Table 1 between a VLAN ID and a VNI and a forwarding table. Themapping relationship table is used to store a mapping from a VLAN ID toa VNI, and the mapping may be configured by a manager.

An entry in the forwarding table stores a mapping relationship between aMAC address of a terminal and a port number. The port number indicates aport on the network device. Optionally, each entry in the forwardingtable further stores at least one VLAN ID used to indicate a VLAN towhich a port is added. Table 2 is an example of an entry in theforwarding table of the network device 13 in FIG. 1. “00e0-d26b-8121” isthe MAC address of the terminal 11, “E1/0/0” indicates a port on thenetwork device 13, and the port is added to the VLAN indicated by theVLAN 10. Certainly, during actual storage, network devices fromdifferent vendors may store the mapping relationship between a MACaddress and a port number using different data structures.

TABLE 2 Number MAC address Port number VLAN ID 1 00e0-d26b-8121 E1/0/0VLAN 10 2 . . . . . . . . .

The forwarding chip 52 may access information in the memory 54.

A specific connection medium between the foregoing components is notlimited in this embodiment of this application, and is, for example, abus.

The processor 51 is configured to control the forwarding chip 52 toconfigure a VXLAN tunnel between the network device and another networkdevice.

The port 53 is configured to connect to an access device, or connect tothe another network device.

A first port in the ports 53 is connected to the access device, and thefirst port is configured to receive an Ethernet frame forwarded by theaccess device. A VLAN tag field in the Ethernet frame includes the VLANID.

The processor 51 is further configured to obtain, based on the VLAN IDincluded in the VLAN tag field in the Ethernet frame and the mappingshown in Table 1 from a VLAN ID to a VNI, the VNI to which the VLAN IDincluded in the VLAN tag field in the Ethernet frame is mapped, and adda VXLAN header to the Ethernet frame to obtain a VXLAN packet. The VXLANheader includes the VNI.

A second port in the ports 53 is configured to send the VXLAN packetobtained by the processor 51. Optionally, the second port sends theVXLAN packet to the another network device through the VXLAN tunnel. Forexample, a structure of the network device 13 in FIG. 1 is shown in FIG.5, and the network device 13 sends the VXLAN packet to the networkdevice 23.

If the network device shown in FIG. 5 obtains a VLAN ID of a terminaldevice in the manner 1 shown in FIG. 3B, the first port is configured toreceive an adding instruction from the access device. The addinginstruction includes the VLAN ID. The VLAN ID is sent by the accessdevice serving as an authenticator device to the network device afterthe terminal device is authenticated and the access device obtainsauthorization information of the terminal device. Optionally, the accessdevice encapsulates the VLAN ID into a control plane protocol packet, toobtain the adding instruction.

The processor 51 is configured to obtain the VLAN ID from the addinginstruction, and add the first port to a VLAN identified by the VLAN ID.Optionally, the processor decapsulates the control plane protocol packetto obtain the VLAN ID from the control plane protocol packet, and addsthe first port to the VLAN identified by the VLAN ID.

Optionally, a control plane protocol is LISP. In other words, the addinginstruction is an LISP packet. Herein, to distinguish the LISP packetserving as the adding instruction from a subsequent LISP packet withanother purpose, the LISP packet serving as the adding instruction isreferred to as a “first LISP packet”. Optionally, the processor 51implements the foregoing functions using different function modules. Forexample, the processor 51 includes an LISP support module, configured todecapsulate the first LISP packet based on a predetermined LISPextension format, to obtain the VLAN ID.

If the network device shown in FIG. 5 obtains a VLAN ID of a terminaldevice in the manner 2 shown in FIG. 3C, in other words, the networkdevice serves as an authenticator device, the processor 51 is furtherconfigured to establish an authentication channel between the networkdevice and the access device. The ports 53 include the plurality ofports, the first port is connected to the access device, and the firstport is configured to receive a first authentication packet from theaccess device. The first authentication packet is used in authenticationfor a supplicant device.

The processor 51 is configured to record a correspondence between thefirst port and a supplicant device address in the first authenticationpacket.

A third port in the ports 53 is configured to receive a secondauthentication packet from an authentication server. The secondauthentication packet includes the supplicant device address and theVLAN ID.

The processor 51 is further configured to add the first port to a VLANidentified by the VLAN ID, based on the supplicant device address andthe VLAN ID in the second authentication packet and the recordedcorrespondence between the first port and the supplicant device address.

Optionally, in an authentication process, an authentication packettransmitted between the network device and the access device isencapsulated using a control plane protocol. Optionally, the controlplane protocol is LISP. The first port is further configured to receivea second LISP packet from the access device. The first authenticationpacket is encapsulated into the second LISP packet.

For example, with reference to FIG. 3C, the first authentication packetis an EAPoL-Start packet, and the second authentication packet is aRADIUS Access-Accept packet. The RADIUS Access-Accept packet includesthe supplicant device address and authorization information, and theauthorization information includes the VLAN ID.

Optionally, the processor 51 is further configured to, after obtainingthe VLAN ID from the second authentication packet, send a bindinginstruction to the access device through the first port. The bindinginstruction includes the supplicant device address and the VLAN ID.Optionally, the network device encapsulates the supplicant deviceaddress and the VLAN ID using a control plane protocol, and then sends acontrol plane packet obtained through encapsulation to the accessdevice. Optionally, the control plane protocol is LISP.

Optionally, the processor 51 implements the foregoing functions usingdifferent function modules. For example, the processor 51 includes anLISP support module and an authentication module. The LISP supportmodule is configured to decapsulate, according to LISP, anauthentication packet (for example, an EAPoL-Start packet, an EAPResponse, or an EAP Challenge Response) that is sent by the accessdevice through the authentication channel, encapsulate, using LISP, anauthentication packet (for example, an EAP Request or an EAP ChallengeRequest) to be sent to the terminal device and then send a packetobtained through encapsulation to the access device through theauthentication channel, and encapsulate the VLAN ID using apredetermined LISP extension format and then send a packet obtainedthrough encapsulation to the access device through the authenticationchannel. The authentication module is configured to supportauthentication packet parsing, and perform corresponding processingaccording to an authentication procedure. For example, referring to FIG.3C, after the port 53 obtains an EAPoL-Start packet that is sent by theterminal device and that is obtained after decapsulation, theauthentication module generates an EAP Request packet, the LISP supportmodule encapsulates the EAP Request packet using the LISP extensionformat, and then sends the encapsulated EAP Request packet through theauthentication channel. For another example, after obtaining an EAPResponse packet through decapsulation, the authentication module sends aRADIUS Access-Request packet to the authentication server. Refer to FIG.3C and a related text description. Details are not described hereinagain.

Optionally, the LISP support module and/or the authentication module inthe processor 51 may be implemented using software, or may beimplemented using a core in the multi-core CPU.

The network device shown in FIG. 5 is applied to the scenario shown inFIG. 1, to implement the function of the network device in the procedureshown in FIG. 2. For another additional function implemented by eachcomponent in FIG. 5 and a process of interaction between each componentand another network element device (for example, the access device orthe authentication server), refer to the description of the networkdevice in the method embodiment shown in FIG. 2, FIG. 7A and FIG. 7B, orFIG. 11A and FIG. 11B. Details are not described herein again.

FIG. 6 is a schematic structural diagram of an access device in thescenario shown in FIG. 1. The access device shown in FIG. 6 serves asthe access device that is in FIG. 2 and that is connected to a networkdevice, to implement the function of the access device in the procedureshown in FIG. 2. The access device in FIG. 6 includes a processor 61, aforwarding chip 62, ports 63, and a memory 64. The ports 63 include aplurality of ports. The forwarding chip 62 is connected to each port.

The forwarding chip 62 and the memory 64 may be integrated with theprocessor 61 into a same physical component, or may be separate physicalcomponents. When the forwarding chip 62 and the memory 64 are integratedwith the processor 61 into a same physical component (for example, amulti-core CPU), the memory 64 is in the CPU, and the forwarding chip 62may be a core in the multi-core CPU. When the forwarding chip 62 and thememory 64 are separate physical components independent of the processor61, both the forwarding chip 62 and the memory 64 are connected to theprocessor 61. The forwarding chip 62 is further connected to the memory64.

When the memory 64 is a separate physical component, the memory 64includes but is not limited to a random-access memory (RAM), a read-onlymemory (ROM), an erasable programmable read-only memory (EPROM), aternary content-addressable memory (TCAM), a flash memory, an opticalmemory, or the like.

The memory 64 is configured to store a forwarding table and a userinformation table.

The forwarding chip 62 may access the forwarding table and the userinformation table in the memory 64.

A specific connection medium between the foregoing components is notlimited in this embodiment of this application, and is, for example, abus.

The forwarding table on the access device is similar to Table 2, and isnot repeatedly described herein. Each entry in the user informationtable stores an address (a MAC address or an IP address) of a terminaldevice, a user name of a user accessing a network using the terminaldevice, a number of a port on the access device, and authorizationinformation of the terminal device. The authorization informationincludes a VLAN ID. Table 3 is an example of an entry in the userinformation table of the access device 12 in FIG. 1. A user name is S1,“00e0-d26b-8121” is the MAC address of the terminal 11, “VLAN 10” is theauthorization information of the terminal 11, S1 is a user name of auser accessing a network using the terminal 11, and the terminal 11 isconnected to the port E1/0/0 of the access device 12.

TABLE 3 User Authorization Number name MAC address Port numberinformation 1 S1 00e0-d26b-8121 E1/0/0 VLAN 10 . . . . . .

The port 63 is configured to connect to the terminal device, and connectto the network device.

The processor 61 is further configured to, when an authentication packetsent by the terminal device after the terminal device gets online isreceived, create a new entry in the user information table, and write,to the newly created entry, an address of the terminal device and anumber of a port receiving the authentication packet. After the terminaldevice is authenticated, the processor 61 obtains the address of theterminal device and authorization information of the terminal device,finds the corresponding entry in Table 3 based on the address of theterminal device, and stores a VLAN ID in the authorization informationinto the entry. Storing the VLAN ID in the authorization informationinto Table 3 is equivalent to establishing a correspondence between theport number and the authorized VLAN ID, in other words, setting a valueof a first default VLAN of the port identified by the port number to theauthorized VLAN ID.

In an embodiment, if the network device connected to the access deviceshown in FIG. 6 obtains a VLAN ID using the method described in themanner 1 shown in FIG. 3B, the access device is an authenticator device.In the manner 1, the processor 61 of the access device is configured toobtain a VLAN ID allocated by an authentication server to anauthenticated supplicant device. A first port in the ports 63 isconnected to the network device, and the first port is configured tosend an LISP packet to a VXLAN tunnel end point VTEP device (namely, thenetwork device). The LISP packet includes the VLAN ID. The LISP packetis the foregoing adding instruction. To distinguish the LISP packet froman LISP packet with another purpose, the LISP packet further includes apacket type indicator. The packet type indicator is used to instruct theVTEP device to add a port receiving the LISP packet to a VLAN identifiedby the VLAN ID.

After the terminal device is authenticated, the processor 61 obtains,from the authorization information, the VLAN ID allocated by theauthentication server to the terminal device, and controls the firstport to send a first LISP packet to the network device connected to theaccess device. The first LISP packet includes the authorized VLAN ID ofthe terminal device. For example, referring to FIG. 3B, after the firstport receives a RADIUS Access-Accept packet sent by the authenticationserver, the processor 61 obtains other authorization information of theterminal device, for example, information such as the VLAN ID and agroup identifier, from the RADIUS Access-Accept packet, and controls thefirst port to send the VLAN ID to the network device using LISP.Optionally, the processor 61 implements the foregoing functions usingdifferent function modules. For example, the processor 61 includes anauthentication module and an LISP support module. The authenticationmodule is configured to complete an authentication process of theterminal device according to an authentication procedure. For details,refer to FIG. 3B and a related description. The LISP support module isconfigured to encapsulate the VLAN ID in the authorization informationbased on an LISP extension format, and send the encapsulated VLAN ID tothe network device.

Optionally, the processor 61 is further configured to determine a secondport connected to the supplicant device, and set a value of a defaultVLAN of the second port to the VLAN ID after obtaining the VLAN IDallocated by the authentication server to the authenticated supplicantdevice. The second port is further configured to receive an Ethernetframe from the supplicant device. A source address of the Ethernet frameis a MAC address of the supplicant device. The processor 61 adds a VLANtag including the VLAN ID to the Ethernet frame based on the defaultVLAN of the second port, and then forwards the Ethernet frame.

In an embodiment, if the network device connected to the access deviceshown in FIG. 6 obtains a VLAN ID using the method described in themanner 2 shown in FIG. 3C, the network device is an authenticatordevice. A first port in the ports 63 is connected to the terminaldevice, and the first port is configured to receive an authenticationpacket from the terminal device. The terminal device is a supplicantdevice. The processor 61 is configured to record a correspondencebetween the first port and a MAC address of the supplicant device thatis in the authentication packet. A second port in the ports 63 isconnected to the network device, and the second port is configured tosend the authentication packet to the network device. The network deviceis an authenticator device and a VXLAN tunnel end point VTEP device. Thesecond port is further configured to receive a binding instruction fromthe network device. The binding instruction includes an address (an IPaddress or the MAC address) of the supplicant device and the VLAN ID.The processor 61 is further configured to set a value of a default VLANof the first port to the VLAN ID based on the correspondence and theaddress, in the binding instruction, of the supplicant device.

Optionally, the authentication packet and the binding instruction areencapsulated using a control plane protocol. Optionally, the controlplane protocol is LISP. In this case, the second port sends a first LISPpacket to the network device. The authentication packet from theterminal device is encapsulated into the first LISP packet, and theterminal device accesses a network using the access device. The secondport, the port connected to the network device, is further configured toreceive a second LISP packet from the network device. The bindinginstruction, namely, the MAC address of the supplicant device and theVLAN ID, is encapsulated into the second LISP packet.

Optionally, the processor 61 implements the foregoing functions usingdifferent function modules. For example, the processor 61 includes anLISP support module and an authentication module. The LISP supportmodule is configured to encapsulate the authentication packet from theterminal device based on the LISP extension format, and send theencapsulated authentication packet (for example, an EAPoL-Start packet,an EAP Response, or an EAP Challenge Response) to the network devicethrough an authentication channel, and decapsulate a received LISPpacket sent by the network device to obtain an authentication packet(for example, an EAP Request or an EAP Challenge Request) from the LISPpacket, and then send the authentication packet to the terminal device.The LISP support module is further configured to, after the second portreceives the VLAN ID that is encapsulated by the network device usingthe LISP extension format, perform decapsulation to obtain the VLAN ID.The authentication module is configured to store, into the userinformation table, the authorization information obtained afterdecapsulation.

Optionally, the LISP support function module and the authenticationmodule in the processor 61 may be implemented using software, or may beimplemented using a core in the multi-core CPU.

Optionally, the first port is further configured to receive an Ethernetframe from the terminal device. A source address of the Ethernet frameis the MAC address of the supplicant device. The processor 61 is furtherconfigured to add a VLAN tag including the VLAN ID to the Ethernet framebased on the default VLAN of the first port, and then forward theEthernet frame.

The access device shown in FIG. 6 is applied to the scenario shown inFIG. 1, to implement the function of the access device in the procedureshown in FIG. 2. For another additional function implemented by eachcomponent in FIG. 6 and a process of interaction between each componentand another network element device (for example, the network device, theterminal device, or the authentication server), refer to a descriptionof the access device in the method embodiment shown in FIG. 2, FIG. 7Aand FIG. 7B, or FIG. 11A and FIG. 11B. Details are not described hereinagain.

FIG. 7A and FIG. 7B are schematic diagrams of a VXLAN implementationmethod according to an embodiment of this application. In the methodshown in FIG. 7A and FIG. 7B, an authenticator device is an accessdevice. After authenticating a terminal device and obtainingauthorization information that is set by an authentication server forthe terminal device, the access device sends an authorized VLAN ID ofthe terminal device to a network device using an extended LISP packetsuch that the network device obtains the authorized VLAN ID of theterminal. The network device adds a port connected to the access deviceto a VLAN identified by the VLAN ID. Subsequently, after receiving anEthernet frame from the access device, the network device searches amapping from a VLAN ID to a VNI for a corresponding VNI based on a VLANID in the Ethernet frame, and adds a VXLAN header to the Ethernet frameto obtain a VXLAN packet. A VNI field in the VXLAN header includes theVNI. An application scenario of FIG. 7A and FIG. 7B is shown in FIG. 1,and an authentication process is shown in FIG. 3B.

The method shown in FIG. 7A and FIG. 7B includes the following step 71to step 717.

Step 71: A manager configures a mapping from a VLAN ID to a VNI on thenetwork device 13. Similarly, the manager may also configure a mappingfrom a VLAN ID to a VNI on the network device 23. Optionally, on thenetwork device 13 and the network device 23, VLAN IDs mapped to a sameVNI may be the same or may be different.

Step 72: The terminal 11 gets online using an access device 12, andtriggers an authentication procedure of the terminal 11. After theterminal 11 is authenticated, the authentication server 50 sendsauthorization information of the terminal 11 to the access device 12.The authorization information includes a VLAN identifier “VLAN 10” ofthe terminal 11. Optionally, the authorization information furtherincludes a group identifier “Group 1” of the terminal 11. The groupidentifier of the terminal 11 is used to control access of the terminal11. A specific authentication process is shown in FIG. 3B, and is notrepeated herein.

Step 73: The access device 12 connects to the terminal 11 through a portE1/0/1, and the access device 12 sets a default VLAN of the port E1/0/1to a VLAN 10.

Step 74: The access device 12 sends a first LISP packet to the networkdevice 13. The first LISP packet includes the authorized VLAN ID of theterminal 11, namely, the VLAN 10.

In this embodiment of this application, the network device 13 isconnected to the access device 12 through a port indicated by a portnumber E1/0/0.

To carry the VLAN 10 using an LISP packet, an existing LISP packet needsto be extended. For ease of understanding, a field structure of the LISPprotocol is first shown in FIG. 8, and then an LISP protocol extensionmanner is described with reference to FIG. 9. For descriptions of fieldsin FIG. 8, refer to an existing standard document, for example, RFC6830. Details are not described herein.

In this embodiment of this application, for the first LISP packet sentby the access device 12 to the network device 13, a “Source RoutingLocator” in FIG. 8 is an LISP address of the access device 12, a“Destination Routing Locator” is an LISP address of the network device13, content written to a “Source Port” is statically configured ordynamically generated by the sender of the LISP packet, and a “DestPort” is 4342. Likewise, for an LISP packet sent by the network device13 to the access device 12, a “Source Routing Locator” is the LISPaddress of the network device 13, a “Destination Routing Locator” is theLISP address of the access device 12, a value of a “Dest Port” is avalue of the “Source Port” in the LISP packet sent by the access device12 to the network device 13, and a “Source Port” is 4342.

The first LISP packet in this embodiment is implemented by mainlyextending and defining a “LISP Message” part in FIG. 8. Details areshown in FIG. 9.

In this embodiment, the “LISP Message” part carries at least the VLAN10.

Optionally, when the access device and the network device transmitvarious types of different information to each other using LISP, acorresponding packet type indicator may be allocated to each type ofinformation such that a receiver can identify information carried in anLISP packet. As shown in FIG. 9, a “LISP Message” part in an extendedLISP packet includes a packet type indicator used to indicate that thisLISP packet includes a VLAN ID. Optionally, the packet type indicator isrepresented by an integer, and stored in a Type field. In thisembodiment, an integer “5” is used to indicate that this LISP packetincludes a VLAN ID. Actually, a value of the packet type indicator and alocation of the packet type indicator in the “LISP Message” part may beflexibly set, provided that both the access device and the networkdevice can identify the packet type indicator based on a predefinedformat, to determine a purpose of the LISP packet. With a first packettype indicator, the network device can identify the LISP packet used forencapsulating the authorized VLAN ID of the terminal, to obtain theauthorized VLAN ID of the terminal from the LISP packet.

Optionally, for ease of parsing, a Record field in the “LISP Message”part may be used to record a VLAN ID.

Optionally, after getting online, the terminal 11 may be disconnectedfrom a network for various reasons, for example, a charging excess, anddoes not access the network using the access device 12 for a relativelylong time. In this case, the access device 12 may set the default VLANof the port number E1/0/1 to another VLAN ID. To save storage space ofthe network device 13, the access device 12 needs to properly instructthe network device 13 to delete the port from a VLAN. For thisrequirement, in this embodiment of this application, an operationindicator may be further carried in the “LISP Message” part. Theoperation indicator is used to instruct the receiver of the extendedLISP packet to add a port to a VLAN, or may instruct the receiver of theextended LISP packet to delete a port from a VLAN.

In this embodiment, after the terminal 11 is authenticated, a “LISPMessage” part in the first LISP packet sent by the access device 12 tothe network device 13 carries a first operation indicator, and the firstoperation indicator is used to instruct the receiver to add the port tothe VLAN. After the first LISP packet is sent, a second LISP packet maybe further sent. The second LISP packet is in a format similar to thatof the first LISP packet. A difference is that, a “LISP Message” part inthe second LISP packet carries a second operation indicator, and thesecond operation indicator is used to instruct the receiver to deletethe port from the VLAN. Optionally, the operation indicator is carriedin an F field shown in FIG. 9. For example, the operation indicator isan integer, 0 instructs to add a port to a VLAN, and 1 instructs todelete a port from a VLAN.

Optionally, when the access device 12 is connected to a relatively largequantity of terminal devices, a plurality of terminal devices connectedto the access device 12 may all get online and authenticated within ashort time. To improve efficiency of communication between the accessdevice 12 and the network device 13, authorized VLAN IDs of theplurality of terminal devices may be carried in a same LISP packet. Inthis case, a Record Count field may be added to the “LISP Message” partin the first LISP packet, and a value of the field is used to indicate aquantity of Record fields carried in the LISP packet, as shown in FIG.9.

Optionally, the access device 12 may further add other information tothe first LISP packet. For example, the Record field carries an addresstype and an address of the terminal 11. For example, types of terminaldevice addresses include at least an IPv4 address, an IPv6 address, anda MAC address. For example, a number 1 is used to represent the IPv4address, a number 2 is used to represent the IPv6 address, and a number16389 is used to represent the MAC address. In this embodiment, anaddress type indicator is carried in an AFI sub-field of the Recordfield. The access device 12 adds the address of the terminal 11 to anEID sub-field of the Record field.

Step 75: The network device 13 receives the first LISP packet through aport E1/0/0, and obtains an authorized VLAN ID of the terminal 11,namely, the VLAN 10, from the first LISP packet.

Step 76: The network device 13 adds the port E1/0/0 to a VLANcorresponding to the VLAN 10.

Step 77: The terminal 11 accesses the terminal 21, and the access device12 receives, through the port E1/0/1, an Ethernet frame sent by theterminal 11.

Step 78: The access device 12 finds, based on a stored user informationtable, that the default VLAN of the port E1/0/1 is the VLAN 10, and addsthe VLAN 10 to a VLAN tag field in the Ethernet frame sent by theterminal 11.

Step 79: The access device 12 sends, to the network device 13, theEthernet frame with the VLAN tag field to which the VLAN 10 is added.

Step 710: The network device 13 receives the Ethernet frame through theport E1/0/0, and obtains, by querying a stored mapping relationshiptable (shown in Table 1) based on the VLAN 10 included in the Ethernetframe, a VNI 1000 to which the VLAN 10 is mapped.

Step 711: The network device 13 adds a VXLAN header to the receivedEthernet frame to obtain a VXLAN packet, where a VNI field in the VXLANheader includes the VNI 1000. A structure of the VXLAN header is shownin FIG. 10.

Step 712: The network device 13 sends the VXLAN packet to the networkdevice 23.

A process of processing, by the network device 23, a packet sent by theterminal 21 is similar to that of the network device 13, and is notrepeatedly described herein.

FIG. 11A and FIG. 11B are schematic diagrams of another VXLANimplementation method according to an embodiment of this application. Inthe method shown in FIG. 11A and FIG. 11B, an authenticator device is anetwork device. An authentication channel is established between anaccess device and the network device to transmit an authenticationpacket. Subsequently, after receiving an Ethernet frame from the accessdevice, the network device adds a VXLAN header to the Ethernet framebased on a mapping from a VLAN ID to a VNI and a VLAN ID in the Ethernetframe. The VXLAN header includes a VNI to which the VLAN ID in theEthernet frame is mapped. An application scenario of FIG. 11A and FIG.11B is shown in FIG. 1, and an authentication process is shown in FIG.3C.

The method shown in FIG. 11A and FIG. 11B includes the following step111 to step 1118.

Step 111: A manager configures a mapping from a VLAN ID to a VNI on thenetwork device 13. Similarly, the manager may also configure a mappingfrom a VLAN ID to a VNI on the network device 23. Optionally, on thenetwork device 13 and the network device 23, VLAN IDs mapped to a sameVNI may be the same or may be different.

Step 112: The network manager configures an IP address of the networkdevice 13 on the access device 12 for LISP communication between theaccess device 12 and the network device 13. Likewise, the networkmanager configures an IP address of the network device 23 on the accessdevice 22 for LISP communication between the access device 22 and thenetwork device 23.

Step 113: The terminal 11 gets online using the access device 12, andtriggers an authentication procedure of the terminal 11. The accessdevice 12 receives, through a port E1/0/1, an authentication packet sentby the terminal 11.

The access device 12 creates an entry in a user information table. Theentry includes a MAC address 00e0-d26b-8121 of the terminal 11 that isincluded in the authentication packet and the port E1/0/1 receiving theauthentication packet. It may be understood that, in differentauthentication procedures, authentication packets sent by the terminal11 to trigger the authentication procedures are different. Optionally,for example, in the standard 802.1X, the authentication packet sent bythe terminal 11 is an EAPoL-Start packet (as shown in FIG. 3C).

Step 114: The access device 12 performs LISP encapsulation on theauthentication packet sent by the terminal 11. To distinguish an LISPpacket obtained through encapsulation from the LISP packets in theprocedure shown in FIG. 7A and FIG. 7B, the LISP packet herein obtainedthrough encapsulation is referred to as a third LISP packet. The accessdevice 12 sends the third LISP packet to the network device 13.

To encapsulate the authentication packet using LISP, an LISP packetneeds to be extended. A field structure of the LISP protocol is shown inFIG. 8. For descriptions of fields in FIG. 8, refer to an existingstandard document, for example, RFC 6830. Details are not describedherein. The third LISP packet in this embodiment is implemented bymainly extending and defining a “LISP Message” part in FIG. 8. Detailsare shown in FIG. 12.

In this embodiment, the authentication packet EAPoL-Start sent by theterminal 11 is encapsulated into a “LISP Message” part in the third LISPpacket. As shown in FIG. 12, the “LISP Message” part in the third LISPpacket includes a packet type indicator. The packet type indicatorindicates that this LISP packet includes an authentication packet from ato-be-authenticated supplicant device. Optionally, the packet typeindicator is represented by an integer, and stored in a Type field. Inthis embodiment, an integer “6” is used to indicate that this LISPpacket includes an authentication packet from a to-be-authenticatedsupplicant device. Actually, a value of the packet type indicator and alocation of the packet type indicator in the “LISP Message” part may beflexibly set, provided that both the access device and the networkdevice can identify the packet type indicator based on a predefinedformat, to determine a purpose of the LISP packet. With the packet typeindicator, the network device and the access device can identify an LISPpacket used for encapsulating an authentication packet, to better assistin a terminal authentication process.

Optionally, as shown in FIG. 12, the access device 12 encapsulates theauthentication packet sent by the terminal 11 into an “Original packet”field in the “LISP Message” part.

Optionally, the “LISP Message” part may carry a port number, toimplement better compatibility with an existing authentication proceduresuch that there is no difference from the existing authenticationprocedure from a perspective of the terminal device. In an embodiment,for an authentication packet (for example, the EAPoL-Start and asubsequently sent EAP Response or EAP Challenge Response) sent by theterminal device to a network side, the access device 12 adds a number ofa port on the access device 12 to a “LISP Message” part. The portindicated by the port number is a port used when the access device 12receives the authentication packet sent by the terminal 11. Optionally,the port number is carried in a “Port” field in FIG. 12.

Step 115: The network device 13 decapsulates a third LISP packet sent bythe access device 12, to obtain the authentication packet encapsulatedinto the third LISP packet, namely, the authentication packet sent bythe terminal 11.

Both the access device 12 and the network device 13 support the LISPpacket extension manner shown in FIG. 12. The network device 13 mayperform a decapsulation process corresponding to the foregoingencapsulation process, to obtain the authentication packet. In anembodiment, the network device 13 obtains the encapsulatedauthentication packet from the “LISP Message” part in the extended LISPpacket in the format shown in FIG. 12.

Step 116: The network device 13 records a correspondence between asupplicant device address in the authentication packet and a portreceiving the third LISP packet. In this embodiment, the network device13 is connected to the access device 12 through a port E1/0/0, andreceives the packet from the access device 12 through the port E1/0/0.The to-be-authenticated supplicant device address in the authenticationpacket is the MAC address 00e0-d26b-8121 of the terminal 11. Therefore,the network device records a correspondence between the MAC address00e0-d26b-8121 of the terminal 11 and the port E1/0/0.

Step 117: The network device 13 performs an authentication process ofthe terminal 11 based on the authentication packet obtained throughdecapsulation.

In an embodiment, in the plurality of times of packet exchange in theauthentication process, the network device 13 processes, according tothe authentication procedure, a packet obtained after decapsulation, andencapsulates an authentication packet to be sent to the terminal 11 intoan LISP packet in an extended field format, and sends the LISP packetobtained through encapsulation to the access device 12.

For example, referring to FIG. 3C, after decapsulating the third LISPpacket sent by the access device 12 to obtain the EAPoL-Start packetsent by the terminal 11, the network device 13 generates an EAP Requestpacket, encapsulates the EAP Request packet into a “LISP Message” partin an LISP packet, and sends the LISP packet obtained throughencapsulation to the access device 12.

For another example, referring to FIG. 3C, after decapsulating an LISPpacket sent by the access device 12 to obtain the EAP Response packet,the network device 13 sends a RADIUS Access-Request packet to theauthentication server. After receiving a RADIUS Access-Challenge packetreturned by the authentication server, the network device 13 extracts anEAP Challenge Request packet from the RADIUS Access-Challenge packet,encapsulates the EAP Challenge Request packet into a “LISP Message” partin an LISP packet, and sends the LISP packet obtained afterencapsulation to the access device 12.

For another example, referring to FIG. 3C, after decapsulating anextended LISP packet sent by the access device 12 to obtain the EAPChallenge Response packet, the network device 13 sends a RADIUSAccess-Request packet to the authentication server. After receiving aRADIUS Access-Accept packet returned by the authentication server, thenetwork device 13 extracts an EAP Success packet from the RADIUSAccess-Accept packet, encapsulates the EAP Success packet into a “LISPMessage” part in an LISP packet, and sends the LISP packet obtainedafter encapsulation to the access device 12.

In a process of performing LISP encapsulation on an authenticationpacket (for example, the EAP Request, the EAP Challenge Request, or theEAP Success), the network device 13 encapsulates the authenticationpacket into a “LISP Message” part in an LISP packet. As shown in FIG.12, a “LISP Message” part in an extended LISP packet includes a packettype indicator used to indicate that this LISP packet is used to send anauthentication packet from the authentication server. Optionally, thepacket type indicator is represented by an integer, and stored in a Typefield. The integer indicating that this LISP packet is used to send anauthentication packet from the authentication server may be the same asor may be different from the integer indicating that this LISP packet isused to send an authentication packet from the to-be-authenticatedsupplicant device. In this embodiment, the same integer “6” is used toindicate that this LISP packet is used to send an authentication packetfrom the authentication server. In other words, a same packet typeindicator may be used to indicate a transmitted authentication packet,regardless of whether the authentication packet is from theto-be-authenticated supplicant device or from the authentication server.

Optionally, as shown in FIG. 12, the access device 12 encapsulates theauthentication packet to be sent to the terminal 11 into an “Originalpacket” field in the “LISP Message” part.

Optionally, the “LISP Message” part may carry a port number, toimplement better compatibility with an existing authentication proceduresuch that there is no difference from the existing authenticationprocedure from a perspective of the terminal device. In an embodiment,for an authentication packet (for example, the EAP Request, the EAPChallenge Request, or the EAP Success) sent by the network device to theterminal device, the network device 13 adds a number of a port on theaccess device 12 to a “LISP Message” part. The port indicated by theport number is a port used when the access device 12 sends anauthentication packet obtained after decapsulation to the terminal 11.Optionally, the port number is carried in a “Port” field in FIG. 12.

Step 118: After authenticating the terminal 11, the network device 13obtains a MAC address 00e0-d26b-8121 and authorization information ofthe terminal 11 from a RADIUS Access-Accept packet sent by theauthentication server 50, and obtains an authorized VLAN ID of theterminal 11, namely, a VLAN 10, from the authorization information.

Step 119: The network device 13 adds the port E1/0/0 to the VLAN 10based on the correspondence recorded in step 116 and the MAC address00e0-d26b-8121 and the VLAN 10 in the authorization information.

Step 1110: The network device 13 sends a fourth LISP packet to theaccess device 12. The fourth LISP packet carries the MAC address00e0-d26b-8121 and the authorization information of the terminal 11, andthe authorization information includes at least the VLAN ID.

To carry the MAC address 00e0-d26b-8121 and the authorizationinformation of the terminal 11 using the fourth LISP packet, an LISPpacket needs to be extended. In this embodiment, the “LISP Message” partin FIG. 8 is extended and defined. Details are shown in FIG. 13.

In this embodiment, a “LISP Message” part in the fourth LISP packetneeds to carry at least the VLAN identifier “VLAN 10” of the terminal 11and at least one of the MAC address 00e0-d26b-8121 and an IP address100.1.1.1 of the terminal 11.

As shown in FIG. 13, the “LISP Message” part in the fourth LISP packetincludes a packet type indicator used to indicate that this LISP packetincludes the MAC address of the terminal device and the VLAN ID.Optionally, the packet type indicator is represented by an integer, andstored in a Type field. For example, an integer “7” is used to indicatethat this LISP packet is used to send the MAC address of the terminaldevice and the authorization information. Actually, a value of thepacket type indicator and a location of the packet type indicator in the“LISP Message” part may be flexibly set, provided that both the accessdevice and the network device can identify the packet type indicatorbased on a predefined format, to determine a purpose of the LISP packet.With the packet type indicator, the access device can identify the LISPpacket used for encapsulating the MAC address and the authorizationinformation, to obtain the MAC address and the authorization informationfrom the LISP packet, and update the user information table.

Optionally, for ease of parsing, a Record field in the “LISP Message”part may be used to record a correspondence between an address and aVLAN identifier of a terminal. For example, a Record field may be usedto record a correspondence between the address and the VLAN identifierof the terminal 11. In an embodiment, the address of the terminal 11 iscarried in an endpoint identifier (EID) sub-field of the Record field,and the VLAN identifier “VLAN 10” is carried in a VLAN sub-field of theRecord field. Optionally, if the authentication server 50 does notauthorize the terminal 11, a value of the VLAN sub-field is set to 0.

Optionally, the access device may be further notified of a type of theaddress of the terminal device using the fourth LISP packet such thatthe access device directly performs parsing using a correspondingprotocol stack, thereby improving efficiency of parsing the extendedLISP packet by the access device to obtain the address of the userterminal, and efficiency of subsequent searching in the user informationtable.

Types of terminal device addresses include at least an IPv4 address, anIPv6 address, and a MAC address. Different address type indicators maybe used to represent corresponding types of terminal device addresses.For example, a digit is used to represent a corresponding type of aterminal device address. For example, a digit 1 is used to represent theIPv4 address, a digit 2 is used to represent the IPv6 address, and adigit 16389 is used to represent the MAC address. In this embodiment, anaddress type indicator is carried in an AFI sub-field of the Recordfield, as shown in FIG. 13.

Optionally, the access device may be further notified of a terminaldevice authentication result using the fourth LISP packet. Differentvalues of an authentication result indicator are used to indicateterminal device authentication results. For example, an integer 0 isused to indicate that authentication succeeds, and an integer 1 is usedto indicate that authentication fails. In this embodiment, theauthentication result indicator is carried in an S sub-field of theRecord field, as shown in FIG. 13.

Optionally, when the access device 12 is connected to a relatively largequantity of terminal devices, a plurality of terminal devices connectedto the access device 12 may all get online and authenticated within ashort time. To improve efficiency of communication between the accessdevice 12 and the network device 13, a plurality of correspondencesbetween a terminal device and authorization information may be carriedin a same fourth LISP packet. In this case, a Record Count field may beadded to the “LISP Message” part in the fourth LISP packet, and a valueof the field is used to indicate a quantity of Record fields carried inthe LISP packet, as shown in FIG. 13.

Step 1111: After receiving the fourth LISP packet, the access device 12obtains the MAC address 00e0-d26b-8121 and the VLAN 10 of the terminal11 from the fourth LISP packet, and stores the authorization informationof the terminal 11.

Step 1112: The access device 12 sets a default VLAN of the port E1/0/1to the VLAN 10.

Optionally, the access device 12 parses the fourth LISP packet using theformat shown in FIG. 13, to obtain the MAC address 00e0-d26b-8121 andthe authorization information of the terminal 11 from the fourth LISPpacket. The access device 12 finds, based on the MAC address00e0-d26b-8121 of the terminal 11, the corresponding entry in the userinformation table shown in Table 3, and adds, to the entry, theauthorization information, for example, the VLAN identifier “VLAN 10”,obtained by parsing the fourth LISP packet.

The entry including the MAC address 00e0-d26b-8121 of the terminal 11further includes the port E1/0/1 connected to the terminal 11. Addingthe VLAN 10 to the entry means setting the default VLAN of the portE1/0/1 to the VLAN 10.

Step 1113: The terminal 11 accesses the terminal 21, and the accessdevice 12 receives, through the port E1/0/1, an Ethernet frame sent bythe terminal 11.

Step 1114: The access device 12 finds the default VLAN 10 of the portE1/0/1 based on a stored user information table, and adds the VLAN 10 toa VLAN tag field in the Ethernet frame sent by the terminal 11.

Step 1115: The access device 12 sends, to the network device 13, theEthernet frame with the VLAN tag field to which the VLAN 10 is added.

Step 1116: The network device 13 receives the Ethernet frame through theport E1/0/0, and obtains, by querying the stored mapping (shown inTable 1) from a VLAN ID to a VNI based on the VLAN 10 included in theEthernet frame, a VNI 1000 to which the VLAN 10 is mapped.

Step 1117: The network device 13 adds a VXLAN header to the receivedEthernet frame to obtain a VXLAN packet, where a VNI field in the VXLANheader includes the found VNI 1000.

Step 1118: The network device 13 sends the VXLAN packet to the networkdevice 23.

A process of processing, by the network device 23, a packet sent by theterminal 21 is similar to that of the network device 13, and is notrepeatedly described herein.

An embodiment of this application further provides a VXLANimplementation system. The system includes a network device and anaccess device. The network device is connected to the access device, andthe network device supports a VXLAN function. A terminal device accessesa network using the access device. A structure of the system is shown inFIG. 1. For working procedures and structures of the network device andthe access device, refer to the descriptions in the foregoingembodiments.

All or some of the foregoing embodiments may be implemented usingsoftware, hardware, firmware, or any combination thereof. When beingimplemented using software, all or some of the embodiments may beimplemented in a form of a computer program product. The computerprogram product includes one or more computer instructions. When thecomputer program instructions are loaded and executed on a computer, allor some of the procedures or functions according to the embodiments ofthe present disclosure are generated. The computer may be ageneral-purpose computer, a dedicated computer, a computer network, oranother programmable apparatus. The computer instructions may be storedin a computer-readable storage medium or may be transmitted from acomputer-readable storage medium to another computer-readable storagemedium. For example, the computer instructions may be transmitted fromone website, computer, server, or data center to another website,computer, server, or data center in a wired (for example, a coaxialcable, an optical fiber, or a digital subscriber line (DSL)) or wireless(for example, infrared, radio, or microwave) manner. Thecomputer-readable storage medium may be any usable medium accessible bya computer, or a data storage device, such as a server or a data center,integrating one or more usable media. The usable medium may be amagnetic medium (for example, a floppy disk, a hard disk, or a magnetictape), an optical medium (for example, a digital versatile disc (DVD)),a semiconductor medium (for example, a solid state disk (SSD)), or thelike.

1. A Virtual eXtensible Local Area Network (VXLAN) method performed by anetwork device, comprising: obtaining a mapping from a virtual localarea network (VLAN) identifier (ID) to a VXLAN network identifier (VNI);receiving a first authentication packet from an access device via a portof the network device, wherein the first authentication packetauthenticates a supplicant device and comprises a supplicant deviceaddress of the supplicant device; recording a correspondence between theport and the supplicant device address; receiving a secondauthentication packet from an authentication server, wherein the secondauthentication packet comprises the supplicant device address and theVLAN ID of the supplicant device; adding the port to a VLAN identifiedby the VLAN ID based on the supplicant device address, the VLAN ID, andthe correspondence between the supplicant device address and the port;receiving, via the port, an Ethernet frame from the access device,wherein a VLAN tag field in the Ethernet frame comprises the VLAN ID;adding a VXLAN header to the Ethernet frame based on the VLAN ID and themapping to obtain a VXLAN packet, wherein the VXLAN header comprises aVNI field carries the VNI; and sending the VXLAN packet to anothernetwork device.
 2. The VXLAN method of claim 1, further comprisingsending a binding instruction to the access device, wherein the bindinginstruction comprises the supplicant device address and the VLAN ID. 3.The VXLAN method of claim 2, wherein the binding instruction is a secondLocator/Identifier Separation Protocol (LISP) packet.
 4. The VXLANmethod of claim 5, wherein the second LISP packet carries a secondpacket type indicator indicating that the binding instruction includes amedia access control (MAC) address and the VLAN ID.
 5. The VXLAN methodof claim 1, wherein the first authentication packet is a firstLocator/Identifier Separation Protocol (LISP) packet.
 6. The VXLAN ofclaim 5, wherein the first LISP packet further carries a first packettype indicator, and wherein the first packet type indicator indicatesthat the first LISP packet carries the first authentication packet.
 7. AVirtual eXtensible Local Area Network (VXLAN) implementation methodperformed by an access device, comprising: receiving a firstauthentication packet from a terminal device via a port of the accessdevice; recording a correspondence between the port and a media accesscontrol (MAC) address of the terminal device in the first authenticationpacket; sending a second authentication packet to a network device;receiving a binding instruction from the network device, wherein thebinding instruction comprises the MAC address and a virtual local areanetwork (VLAN) identifier (ID) of the terminal device; and setting adefault VLAN of the port to the VLAN ID based on the correspondence andthe MAC address.
 8. The VXLAN method of claim 7, further comprising:receiving an Ethernet frame from the terminal device via the port,wherein a source address of the Ethernet frame is the MAC address;adding a VLAN tag comprising the VLAN ID to the Ethernet frame based onthe default VLAN; and forwarding the Ethernet frame after adding theVLAN tag to the Ethernet frame.
 9. The VXLAN method of claim 7, whereinthe second authentication packet is a first Locator/IdentifierSeparation Protocol (LISP) packet.
 10. The VXLAN method of claim 9,wherein first LISP packet carries a first packet type indicatorindicating that the first LISP packet carries the second authenticationpacket.
 11. The VXLAN method of claim 7, wherein the binding instructionis a second Locator/Identifier Separation Protocol (LISP) packet. 12.The VXLAN method of claim 11, wherein the second LISP packet carries asecond packet type indicator indicating that the second LISP packetincludes the MAC address and the VLAN ID.
 13. A network device connectedto an access device, comprising: a first port; a second port; a thirdport; a memory configured to store instructions; and a processor coupledto the memory and configured to execute the instructions, which causethe processor to be configured to: obtain a mapping from a virtual localarea network (VLAN) identifier (ID) to a Virtual eXtensible Local AreaNetwork (VXLAN) network identifier (VNI), wherein the first port isconfigured to receive a first authentication packet from an accessdevice, wherein the first authentication packet is used to authenticatea supplicant device and comprises a supplicant device address of thesupplicant device; record a correspondence between the first port andthe supplicant device address, wherein the second port is configured toreceive a second authentication packet from an authentication server,wherein the second authentication packet comprises the supplicant deviceaddress and a VLAN ID of the supplicant device; add the first port to aVLAN identified by the VLAN ID based on the supplicant device addressand the VLAN ID and the correspondence between the supplicant deviceaddress and the first port, wherein the first port is further configuredto receive an Ethernet frame from the access device, wherein a VLAN tagfield in the Ethernet frame comprises the VLAN ID; and add a VXLANheader to the Ethernet frame based on the VLAN ID and the mapping toobtain a VXLAN packet, wherein the VXLAN header comprises a VNI fieldcarries the VNI, wherein the third port is configured to send the VXLANpacket to another network device.
 14. The network device of claim 13,wherein the first port is further configured to send a bindinginstruction to the access device, wherein the binding instructioncomprises the supplicant device address and the VLAN ID.
 15. The networkdevice of claim 13, wherein the first authentication packet is a firstLocator/Identifier Separation Protocol (LISP) packet, wherein the firstLISP packet carries a first packet type indicator indicating that thefirst LISP packet carries the first authentication packet.
 16. Thenetwork device of claim 13, wherein the binding instruction is a secondLISP packet, wherein the second LISP packet carries a second packet typeindicator indicating that the second LISP packet includes a MAC addressof the supplicant device and the VLAN ID.
 17. An access device,comprising: a first port configured to receive an authentication packetfrom a terminal device; a second port; a third port; a memory configuredto store instructions; and a processor coupled to the memory andconfigured to execute the instructions, which cause the processor to beconfigured to record a correspondence between the first port and a MediaAccess Control (MAC) address of the terminal device in theauthentication packet; wherein the second port is configured to: sendthe authentication packet to a network device; and receive a bindinginstruction from the network device, wherein the binding instructioncomprises the MAC address and a virtual local area network (VLAN)identifier (ID) of the terminal device; and wherein the instructionsfurther cause the processor to be configured to set a default VLAN ofthe first port to the VLAN ID based on the correspondence and the MACaddress.
 18. The access device of claim 17, wherein the first port isfurther configured to receive an Ethernet frame from the terminaldevice, wherein a source address of the Ethernet frame is the MACaddress, and wherein the instructions further cause the processor to beconfigured to: add a VLAN tag comprising the VLAN ID to the Ethernetframe based on the default VLAN; and forward the Ethernet frame throughthe second port after adding the VLAN tag to the Ethernet frame.
 19. Theaccess device of claim 17, wherein the authentication packet is a firstLocator/Identifier Separation Protocol (LISP) packet, wherein the firstLISP packet is carries a first packet type indicator indicating that thefirst LISP packet carries the authentication packet.
 20. The accessdevice of claim 17, wherein the binding instruction is a second LISPpacket, wherein the second LISP packet carries a second packet typeindicator indicating that the second LISP packet includes the MACaddress and the VLAN ID.